From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44902)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1b7eHW-0001OV-Lm
	for qemu-devel@nongnu.org; Tue, 31 May 2016 03:40:09 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kwolf@redhat.com>) id 1b7eHR-0003Ni-KT
	for qemu-devel@nongnu.org; Tue, 31 May 2016 03:40:05 -0400
Date: Tue, 31 May 2016 09:39:54 +0200
From: Kevin Wolf <kwolf@redhat.com>
Message-ID: <20160531073954.GB4415@noname.redhat.com>
References: <1464080368-29584-1-git-send-email-pl@kamp.de>
	<20160531064422.GA21877@ad.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160531064422.GA21877@ad.usersys.redhat.com>
Subject: Re: [Qemu-devel] [Qemu-block] [PATCH] block/iscsi: avoid potential
 overflow of acb->task->cdb
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Fam Zheng <famz@redhat.com>
Cc: Peter Lieven <pl@kamp.de>, pbonzini@redhat.com, qemu-devel@nongnu.org, qemu-block@nongnu.org, qemu-stable@nongnu.org

Am 31.05.2016 um 08:44 hat Fam Zheng geschrieben:
> On Tue, 05/24 10:59, Peter Lieven wrote:
> > at least in the path via virtio-blk the maximum size is not
> > restricted.
> > 
> > Cc: qemu-stable@nongnu.org
> > Signed-off-by: Peter Lieven <pl@kamp.de>
> > ---
> >  block/iscsi.c | 7 +++++++
> >  1 file changed, 7 insertions(+)
> > 
> > diff --git a/block/iscsi.c b/block/iscsi.c
> > index 2ca8e72..e7d5f7b 100644
> > --- a/block/iscsi.c
> > +++ b/block/iscsi.c
> > @@ -833,6 +833,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
> >          return &acb->common;
> >      }
> >  
> > +    if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
> > +        error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
> > +                     acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
> > +        qemu_aio_unref(acb);
> > +        return NULL;
> > +    }
> > +
> >      acb->task = malloc(sizeof(struct scsi_task));
> >      if (acb->task == NULL) {
> >          error_report("iSCSI: Failed to allocate task for scsi command. %s",
> 
> Is it better to invoke the cb and report -EINVAL to the caller?

By the way, when returning NULL, it looks like bdrv_co_do_ioctl()
leaks its BdrvIoctlCompletionData. This code was introduced by your
commit 5c5ae76a ("block: Emulate bdrv_ioctl with bdrv_aio_ioctl and
track both").

Kevin